Chinese Journal of Network and Information Security ›› 2021, Vol. 7 ›› Issue (1): 143-156. doi: 10.11959/j.issn.2096-109x.2021015
Cheng SUN, Hao HU, Yingjie YANG, Hongqi ZHANG
Revised: 2020-10-07
Online: 2021-02-15
Published: 2021-02-01
About the author: Cheng SUN (1991- ), male, from Changzhou, Jiangsu; master's student at Information Engineering University; main research interest: APT detection and tracking.
Supported by:
Abstract:
To address the problem that existing threat analysis models cannot account for both the macroscopic development trend and the microscopic propagation path of advanced security threats, a two-layer threat analysis model, TL-TAM, is established. The upper layer of the model characterizes the threat development trend from low to high severity; the lower layer integrates technical vulnerability attacks, social engineering attacks and network scanning attacks to characterize the threat propagation path. On this basis, a threat prediction and analysis algorithm is proposed. Experimental results show that the model can analyze threat propagation comprehensively at multiple levels, overcomes the limitation of attack-graph-based threat analysis models to technical vulnerability attacks, and is better suited to the dynamic tracking and analysis of advanced security threats.
CLC number:
Cheng SUN, Hao HU, Yingjie YANG, Hongqi ZHANG. Two-layer threat analysis model integrating macro and micro[J]. Chinese Journal of Network and Information Security, 2021, 7(1): 143-156.
Table 2 Main object properties of the hybrid atomic attack ontology (HAOT)

| Object property | Domain | Range | Meaning |
|---|---|---|---|
| has | Device | Component | Device individual IndvDev has component individual IndvCmpt |
| hasAccess | Device | Component | Device individual IndvDev has access to component individual IndvCmpt |
| exist | Component | Vulnerability | Component individual IndvCmpt has vulnerability individual IndvOptr |
| exploit | Attack | Vulnerability | Attack individual IndvAtt exploits vulnerability individual IndvOptr |
| hasPrivilegeUser | Device | Device | Device individual IndvDev holds user-level privilege on component individual IndvCmpt |
| hasPrivilegeRoot | Device | Device | Device individual IndvDev holds full-control privilege on component individual IndvCmpt |
| hasCompromised | Device | Component | Device individual IndvDev has compromised component individual IndvCmpt |
| trustedBy | Device | Operator | Device individual IndvDev is trusted by operator individual IndvOptr |
| launchAttack_{name}_{vul} | Device | Device | Device individual IndvDev launches an attack against component individual IndvCmpt |

Note: in the "launchAttack" naming format, name is the attack name and vul is the vulnerability; technical vulnerabilities are identified by their CVE number, human weaknesses use a self-assigned number in the format "hw_code", and for network-scanning attacks vul is "null".
Table 3 Extracted individuals

| Device | Component | Vulnerability | ModifiedScore | Attack |
|---|---|---|---|---|
| Firewall 4 | Management Software(MS) | CVE-2019-1642 (malicious script injection) | 6.1 | ScriptInjection |
| Admin Station 1 | Google Chrome | CVE-2018-6116 (out-of-bounds memory access) | 6.5 | CodeExecution |
| Web Server 1 | Apache Tomcat Native(ATN) | CVE-2018-8019 (expired certificate authentication) | 7.4 | CertAbuse |
| Email Server 1 | Apache James JMX(JMX) | CVE-2017-12628 (local privilege escalation) | 7.8 | PriElevation |
| | Apache James Server(AJS) | CVE-2015-7611 (OS command injection) | 8.1 | CommandInjection |
| WorkStation 1 | Microsoft outlook | CVE-2013-3870 (remote privilege acquisition) | 9.1 | CodeExecution |
| | Operator | hw-001 (weak security awareness) | 4.0 | Waterholing |
| WorkStation 2 | MsMpEng | CVE-2017-0290 (remote privilege acquisition) | 9.3 | CodeExecution |
| File Server 1 | Microsoft Windows | CVE-2019-0543 (local privilege escalation) | 7.8 | PriElevation |
| Data Server 1 | S-CMS | CVE-2019-6805 (SQL command injection) | 9.8 | SQLInjection |
Table 4 Extracted relations

| From Individual | To Individual | Object Properties |
|---|---|---|
| Web Server | S-CMS | hasAccess(web_1,DS_1_S-CMS) |
| | Management Software(MS) | hasAccess(web_1, FW_4_MS) |
| Email Server | Operator | trustedBy(ES_1,WS_1_operator) |
| | Management Software(MS) | hasAccess(ES_1, FW_4_MS) |
| WorkStation 1 | File Server | hasPrivilegeUser(WS_1,FS_1) |
| | WorkStation 2 | hasAccess(WS_1, WS_2_MsMpEng) |
| WorkStation 2 | File Server | hasAccess(WS_2,FS_1_windows) |
| | WorkStation 1 | hasPrivilegeUser(WS_2, WS_1) |
| Admin Station | Data Server | hasPrivilegeRoot(AS_1,DS_1) |
| Firewall 4 | Admin Station | hasAccess (FW_4,AS_1_chrome) |
Table 6 Prediction of threat development trend

| Compromised device d | Current threat state s | Next target d' | Threat propagation path ap' | Predicted target asset |
|---|---|---|---|---|
| web_1 | medium | DS_1 | a2→a7 | business data on the data server |
| ES_1 | low | WS_1 | a6→a9→a11→a13→a15 | confidential files on the file server |
| FW_4 | low | AS_1 | a10→a12→a14 | business data on the data server |
| AS_1 | high | DS_1 | a14 | business data on the data server |
| DS_1 | high | — | — | business data on the data server |
| WS_1 | medium | FS_1 | a13→a15 | confidential files on the file server |
| WS_2 | low | FS_1 | a0 | confidential files on the file server |
| FS_1 | high | — | — | confidential files on the file server |
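The following Python script is an added example, not code from the paper or its authors. It shows how the HAOT object properties of Table 2 and the extracted relations of Table 4 can be handled as an ontology graph on the defender's side: each relation string is parsed, checked against the domain/range declared in Table 2, and the hosting device of the object individual is taken as a candidate next-step target, which is then cross-checked against the next targets listed in Table 6. The naming convention it assumes (a bare id such as `WS_1` is a device, `WS_1_operator` is that device's operator, any other `device_suffix` is a component on that device) is inferred from Table 4 and is an assumption; the paper's own prediction algorithm, which also ranks paths by severity, is not on this page and is not reproduced here.

```python
import re
from collections import defaultdict

# Domain/range of the HAOT object properties that appear in Table 4 (taken from Table 2).
SCHEMA = {
    "hasAccess": ("Device", "Component"),
    "hasPrivilegeUser": ("Device", "Device"),
    "hasPrivilegeRoot": ("Device", "Device"),
    "trustedBy": ("Device", "Operator"),
}

# Relation strings copied from Table 4 (constructed input for this example).
TABLE4_RELATIONS = [
    "hasAccess(web_1,DS_1_S-CMS)",
    "hasAccess(web_1, FW_4_MS)",
    "trustedBy(ES_1,WS_1_operator)",
    "hasAccess(ES_1, FW_4_MS)",
    "hasPrivilegeUser(WS_1,FS_1)",
    "hasAccess(WS_1, WS_2_MsMpEng)",
    "hasAccess(WS_2,FS_1_windows)",
    "hasPrivilegeUser(WS_2, WS_1)",
    "hasPrivilegeRoot(AS_1,DS_1)",
    "hasAccess (FW_4,AS_1_chrome)",
]

# Next-step targets reported in Table 6 (constructed input; None means no further hop).
TABLE6_NEXT = {"web_1": "DS_1", "ES_1": "WS_1", "FW_4": "AS_1", "AS_1": "DS_1",
               "DS_1": None, "WS_1": "FS_1", "WS_2": "FS_1", "FS_1": None}

# Assumed id convention: '<letters>_<number>' is a device, an optional '_<suffix>' names
# what is hosted on it ('operator' for the human operator, anything else a component).
DEVICE_RE = re.compile(r"^([A-Za-z]+_\d+)(?:_(.+))?$")
REL_RE = re.compile(r"^\s*(\w+)\s*\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)\s*$")


def classify(individual):
    """Return (ontology class, hosting device) for an individual id."""
    m = DEVICE_RE.match(individual)
    if not m:
        raise ValueError(f"unrecognised individual id: {individual}")
    device, suffix = m.group(1), m.group(2)
    if suffix is None:
        return "Device", device
    if suffix == "operator":
        return "Operator", device
    return "Component", device


def parse_relation(text):
    """Parse 'prop(subject, object)' and enforce the Table 2 domain/range constraint."""
    m = REL_RE.match(text)
    if not m:
        raise ValueError(f"malformed relation: {text!r}")
    prop, subj, obj = m.groups()
    if prop not in SCHEMA:
        raise ValueError(f"unknown object property: {prop}")
    domain, rng = SCHEMA[prop]
    subj_cls, _ = classify(subj)
    obj_cls, _ = classify(obj)
    if subj_cls != domain or obj_cls != rng:
        raise ValueError(f"{text}: expected {domain}->{rng}, got {subj_cls}->{obj_cls}")
    return prop, subj, obj


def is_valid_relation(text):
    """True if the relation parses and respects its declared domain/range."""
    try:
        parse_relation(text)
        return True
    except ValueError:
        return False


def build_propagation_graph(relations):
    """Map each device to the devices reachable in one hop.

    Every property in SCHEMA links a device to something hosted on (or operating)
    another device, so the hosting device of the object is the candidate next target.
    """
    graph = defaultdict(set)
    for text in relations:
        _, subj, obj = parse_relation(text)
        _, subj_dev = classify(subj)
        _, obj_dev = classify(obj)
        if obj_dev != subj_dev:
            graph[subj_dev].add(obj_dev)
    return dict(graph)


def next_targets(compromised_device, relations=TABLE4_RELATIONS):
    """Candidate next-step targets d' for a compromised device d (one hop)."""
    return build_propagation_graph(relations).get(compromised_device, set())


def consistent_with_table6():
    """True if every next target in Table 6 is a one-hop candidate derived from Table 4."""
    graph = build_propagation_graph(TABLE4_RELATIONS)
    for d, d_next in TABLE6_NEXT.items():
        candidates = graph.get(d, set())
        if d_next is None and candidates:
            return False
        if d_next is not None and d_next not in candidates:
            return False
    return True


if __name__ == "__main__":
    for device in TABLE6_NEXT:
        print(device, "->", sorted(next_targets(device)))
    print("Table 6 consistent with Table 4 reachability:", consistent_with_table6())
```

The one-hop candidates are a superset of the Table 6 predictions (for example `web_1` can reach both `DS_1` and `FW_4`, while Table 6 selects `DS_1`); choosing among candidates is what the paper's severity-ranked algorithm adds on top of the plain reachability shown here. The domain/range check is the useful defensive part of the ontology: a relation such as `hasPrivilegeUser(WS_1, FS_1_windows)` is rejected because hasPrivilegeUser is declared Device→Device, which catches mis-extracted relations before they pollute the propagation graph.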